How to Configure IIS for External Access Behind a Router: Port Forwarding and Firewall Setup Guide



First, let's ensure your local IIS setup is properly configured. Run this PowerShell command to check your IIS bindings:

Import-Module WebAdministration
Get-WebBinding | Select protocol, bindingInformation

You should see an entry like:

http    *:80:

The WRT54G2 router requires specific NAT settings. Confirm your port forwarding rule with these exact parameters:

Application: HTTP
External Port: 80
Internal Port: 80
Protocol: TCP
IP Address: 192.168.1.102
Enabled: ✔

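Before testing externally, verify that the site responds on each address using curl (in Windows PowerShell 5.1, type curl.exe, because curl is an alias for Invoke-WebRequest). The first two requests confirm IIS answers locally and on the LAN address. The third goes through the router, and from inside the network it only succeeds if the router supports NAT loopback, so a failure there is not conclusive: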

curl -I http://localhost/index.php
curl -I http://192.168.1.102/index.php
curl -I http://[your_public_ip]/index.php

Create a precise firewall rule using netsh:

netsh advfirewall firewall add rule name="IIS Web Server (TCP-In)" dir=in action=allow protocol=TCP localport=80 remoteip=any profile=any enable=yes

To use port 8080 instead of 80, make these changes:

  1. IIS Binding:
    Set-WebBinding -Name 'Default Web Site' -BindingInformation "*:80:" -PropertyName Port -Value 8080
    
  2. Router Forwarding: Change external port to desired number (e.g., 8080)
  3. Firewall Rule: Update localport parameter

If still inaccessible, try these diagnostic commands:

telnet [your_public_ip] 80
netstat -ano | findstr :80
netsh http show iplisten

Many residential ISPs block port 80. Test with these alternative ports:

  • 8080
  • 8888
  • 443 (HTTPS)

Ensure your PHP handler is properly configured:

<configuration>
    <system.webServer>
        <handlers>
            <add name="PHP-FastCGI" 
                 path="*.php" 
                 verb="*" 
                 modules="FastCgiModule"
                 scriptProcessor="C:\PHP\php-cgi.exe"
                 resourceType="Either" />
        </handlers>
    </system.webServer>
</configuration>

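For changing public IP addresses, implement DDNS with a script that looks up the current public IP and reports it to your DDNS provider (the update URL below is a placeholder):

# Look up the current public IP (ifconfig.me/ip returns it as plain text)
$currentIP = (Invoke-WebRequest -Uri "https://ifconfig.me/ip" -UseBasicParsing).Content.Trim()
# Placeholder URL: use the update endpoint and parameters from your DDNS provider's documentation
$updateUrl = "https://ddns-provider.example/update?ip=$currentIP"
Invoke-RestMethod -Uri $updateUrl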

Before exposing your IIS server externally, ensure it works locally. You've already confirmed this by:

  • Accessing http://localhost/index.php
  • Testing via local IP http://192.168.1.102/index.php

For Linksys WRT54G2 routers, proper port forwarding requires:

1. Access router admin (typically 192.168.1.1)
2. Navigate to Applications & Gaming → Port Forwarding
3. Add rule:
   - Application: HTTP
   - External Port: 80
   - Internal Port: 80
   - Protocol: TCP
   - IP Address: 192.168.1.102
   - Enable: Checked

Create an inbound rule with PowerShell:

New-NetFirewallRule -DisplayName "HTTP Inbound" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow

Or manually through Windows Firewall with Advanced Security.

Important troubleshooting steps:

  • Test from external network (mobile data works well)
  • Use online port checkers like YouGetSignal
  • Check router logs for blocked attempts

To use port 8080 instead of 80:

  1. In IIS Manager:
       - Right-click site → Bindings
       - Add HTTP binding with port 8080
       
  2. Update router port forwarding:
       External Port: 8080 → Internal Port: 8080
       
  3. Firewall rule:
       New-NetFirewallRule -DisplayName "HTTP-8080" -Direction Inbound -LocalPort 8080 -Protocol TCP -Action Allow
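
To confirm that the three changes above line up, the following added example (not part of the original guide) checks the IIS binding, the TCP listener and the Windows Firewall rules for one port, and flags rules that are open to any remote address. The $Port value and the output property names are assumptions; run it in an elevated PowerShell session on the IIS host.

```powershell
# Added example, not from the original guide. Run elevated on the IIS host.
# Assumption: $Port is the port you chose in the steps above.
$Port = 8080

Import-Module WebAdministration

# 1. IIS: bindingInformation has the form "IP:port:hostname", e.g. "*:8080:".
$pattern  = ':' + $Port + ':[^:]*$'
$bindings = @(Get-WebBinding | Where-Object { $_.bindingInformation -match $pattern })

# 2. TCP: IIS listens through http.sys, so the owning process is normally PID 4 (System).
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)

# 3. Firewall: enabled inbound allow rules that name this TCP port explicitly.
#    Rules written as a port range or as "Any" are not matched by this simple filter.
$rules = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

[pscustomobject]@{
    Port          = $Port
    IisBindings   = ($bindings | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join '; '
    Listening     = $listeners.Count -gt 0
    FirewallRules = $rules.Count
} | Format-List

# For each rule, show how widely it is open. RemoteAddress "Any" on every profile is
# what remoteip=any profile=any produces; narrowing it is the IP-restriction step.
foreach ($rule in $rules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = $addr.RemoteAddress -join ','
        OpenToAny     = $addr.RemoteAddress -contains 'Any'
    }
}

if (-not $bindings)  { Write-Warning "No IIS binding on port $Port." }
if (-not $listeners) { Write-Warning "Nothing is listening on TCP port $Port." }
if (-not $rules)     { Write-Warning "No enabled inbound allow rule names TCP port $Port." }
```

This only checks the host itself; the router forward and any ISP block still need a test from an external network.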
       
If the site is still unreachable from outside, common causes are:

  • ISP blocking port 80 (common for residential connections)
  • Dynamic DNS needed if IP changes frequently
  • NAT loopback/hairpinning issues when testing internally

When exposing IIS externally:

1. Enable HTTPS with valid certificate
2. Implement IP restrictions if possible
3. Keep Windows and IIS updated
4. Consider using non-standard ports (this cuts down automated scan noise but is not an access control)
5. Monitor IIS logs regularly